kdevmu
Level 7
Message 1 of 8

SIEM Noise Filtering

Hello Everyone,

This question is in reference to the Firewall monitoring by SIEM.

Just wanted to check with you guys how broadcast traffic is taken care of by the SIEM. Is it filtered at the agent level, or carried to the SIEM and then filtered there? Apart from broadcast events, what other events can be considered noise traffic?

According to the compliance standards (PCI/FISMA/SOX etc.), do broadcast event traffic logs need to be preserved, or can they be filtered and not sent to the SIEM?

It would be great if you could let me know the best practices for dealing with noise traffic.

Regards,

KD

Accepted Solution
andy777
McAfee Employee
Message 6 of 8

Re: SIEM Noise Filtering

I won't claim to have PCI expertise, but reading section 10 highlights logging activity related directly to accessing PII and cardholder data. The only way I can imagine broadcasts being relevant is if they were somehow used as part of some sort of attack that was involved in accessing the data. You'll need to determine how likely that is to happen in your environment and weigh that against the resources required to store those events.

7 Replies
andy777
McAfee Employee
Message 2 of 8

Re: SIEM Noise Filtering

Excellent question. Too many people conflate log management and SIEM and fail to filter low value events from the SIEM. You have a few options:

1. Disable broadcast logging at the firewall by creating rules without logging flags.

2. Using Receiver filters, send the low value logs directly to the ELM without being parsed.

3. Using Receiver filters, drop the low value logs before they are processed by the Receiver.

This KB has some good examples of Receiver filters, including filtering out Windows machine accounts.

kdevmu
Level 7
Message 3 of 8

Re: SIEM Noise Filtering

Thank you for your quick response Andy.

So what is the flow of communication here? The firewall sends syslog to the agent (the Receiver filter here?), which then forwards it to the ELM, which maintains the logs?

Is it required to store broadcast traffic events (on the ELM, I believe) to meet the compliance standards?

andy777
McAfee Employee
Message 4 of 8

Re: SIEM Noise Filtering

1. The Firewall sends syslog to the Receiver

2. The Receiver matches the log against a regex filter for any special handling

3. If it matches the filter, the log may be tagged for only parsing, only logging or dropped.

3a. (It may also be tagged with a custom tag that can be queried and used as a filter, but that's off-topic for this).

4. If it does not match, it will be processed per the Parsing/Logging box status configured on the Data Source.

5. Parsed logs are parsed at the Receiver, as well as aggregated, tagged with normalization category, geolocation and any data enrichment and inserted into the local Receiver's database.

6. The ESM queries the Receiver for the logs at the configurable interval (default 10 min) for any new events since the previous query and inserts them into the ESM database.

7. Separately, raw logs destined for the ELM/ELS are packaged up and sent every 5 minutes.

8. The log manager will then digitally sign the logs and move them to the configured storage pool.

> Does it require to store broadcast traffic events (on ELM I believe) for meeting the compliance standards?

Maybe; can you tell me what "it" is in this context please?
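The three filter actions from the reply above (drop, send raw to the ELM only, or fall through to the data source's parse/log default) and the regex-first-wins matching described in the flow can be modelled in a few lines. The following is an added example written for this thread, not McAfee Receiver code: the syslog lines are constructed (an ASA-like message format is assumed), the rule order and "first matching rule wins" semantics are assumptions, and the `aggregate` function is only a generic illustration of the first/last/count collapse asked about later in the thread, not a statement of what the agent actually does.

```python
"""Toy model of collector-side noise filtering (constructed example, not McAfee code)."""
import re

# Constructed sample syslog lines: two broadcasts, one Windows machine-account
# logon, and three ordinary firewall events (two of them identical message IDs).
SAMPLE_LOGS = [
    "Jan 10 10:00:01 fw01 %ASA-6-302013: Built inbound TCP connection for outside:203.0.113.5/51234 to inside:10.0.0.8/443",
    "Jan 10 10:00:02 fw01 %ASA-7-710005: UDP request discarded from 10.0.0.23/137 to inside:10.0.0.255/137",
    "Jan 10 10:00:02 fw01 %ASA-7-710005: UDP request discarded from 10.0.0.24/137 to inside:255.255.255.255/137",
    "Jan 10 10:00:03 dc01 Microsoft-Windows-Security-Auditing: 4624 An account was successfully logged on. Account Name: WS042$",
    'Jan 10 10:00:04 fw01 %ASA-4-106023: Deny tcp src outside:198.51.100.9/4444 dst inside:10.0.0.8/22 by access-group "outside_in"',
    "Jan 10 10:00:05 fw01 %ASA-6-302013: Built inbound TCP connection for outside:203.0.113.5/51235 to inside:10.0.0.8/443",
]

# Assumption: rules are evaluated top to bottom and the first match wins.
# Actions mirror the thread: "drop", "elm_only" (raw to log manager, never parsed),
# "parse_only" (parsed, not archived) or the data-source default "parse_and_log".
RULES = [
    ("windows-machine-account", re.compile(r"Account Name:\s+\S+\$"), "drop"),
    # Limited broadcast plus any x.y.z.255 destination (assumes /24 subnets).
    ("broadcast", re.compile(r"\b(?:255\.255\.255\.255|\d{1,3}(?:\.\d{1,3}){2}\.255)/\d+"), "elm_only"),
]
DEFAULT_ACTION = "parse_and_log"  # the Parsing/Logging checkboxes on the data source


def classify(line, rules=RULES, default=DEFAULT_ACTION):
    """Return (action, rule_name); rule_name is None when the default applies."""
    for name, pattern, action in rules:
        if pattern.search(line):
            return action, name
    return default, None


def route(lines, rules=RULES, default=DEFAULT_ACTION):
    """Sort lines into the destinations described in the thread."""
    out = {"dropped": [], "raw_to_elm": [], "to_parser": []}
    for line in lines:
        action, _ = classify(line, rules, default)
        if action == "drop":
            out["dropped"].append(line)
        elif action == "elm_only":
            out["raw_to_elm"].append(line)
        elif action == "parse_only":
            out["to_parser"].append(line)
        else:  # parse_and_log: parsed for the ESM and archived raw on the ELM
            out["to_parser"].append(line)
            out["raw_to_elm"].append(line)
    return out


MSGID_RE = re.compile(r"%ASA-\d-(\d+)")


def aggregate(lines):
    """Collapse repeated (host, message id) events into count/first/last.

    Generic illustration only; the real aggregation key is product specific.
    """
    agg = {}
    for line in lines:
        parts = line.split(" ", 4)  # Mon DD HH:MM:SS host rest
        ts, host, rest = " ".join(parts[:3]), parts[3], parts[4]
        m = MSGID_RE.search(rest)
        msgid = m.group(1) if m else rest.split(":")[0]
        key = (host, msgid)
        entry = agg.setdefault(key, {"count": 0, "first": ts, "last": ts})
        entry["count"] += 1
        entry["last"] = ts
    return agg


if __name__ == "__main__":
    routed = route(SAMPLE_LOGS)
    for dest, lines in routed.items():
        print(f"{dest}: {len(lines)} line(s)")
    for key, entry in aggregate(routed["to_parser"]).items():
        print(key, entry)
```

Running it on the constructed sample routes the machine-account logon to the drop bucket, both broadcast lines raw to the ELM without parsing, and the three remaining firewall events through the default path, where the two identical 302013 connections collapse into one aggregated record with a count of 2.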

kdevmu
Level 7
Message 5 of 8

Re: SIEM Noise Filtering

Thanks for the information Andy.

> Does it require to store broadcast traffic events (on ELM I believe) for meeting the compliance standards?

Here I am referring to PCI compliance, so let me reiterate the question. As per PCI compliance, actual logs need to be preserved for one year, so does even the broadcast traffic need to be stored and maintained?

kdevmu
Level 7
Message 7 of 8

Re: SIEM Noise Filtering

Hi Andy,

I have one more question. If there is a DoS or DDoS attack on the monitored device, will the agent do any filtering by stopping the forwarding of all DoS events and sending maybe just the first and last event of the attack along with a count of DoS events, or will it forward all the DoS events to the collector?

Re: SIEM Noise Filtering

Hi All,

I have created a filter rule to filter out the low-value events from the ESM but keep them in the ELM. I did it as described on the McAfee site. Initially it was working properly and the event count for that particular event decreased, but for the last two days it has been continuously increasing. Could you please suggest what is happening and what can be done to completely filter the events?

Thanks
